The VIPER project has so far produced a formal specification of a 32-bit
RISC microprocessor, an implementation of that chip in radiation-hard SOS
technology, a partial proof of correctness of the implementation which is
still being extended, and a large body of supporting software. The time
has now come to consider what has been achieved and what directions should
be pursued in future.

The most obvious lesson from the VIPER project has been the time and effort
needed to use formal methods properly. Most of the problems arose in the
interfaces between different formalisms, e.g. between the (informal) English
description and the HOL spec, and between the block-level spec in HOL and the
equivalent in ELLA needed by the low-level CAD tools. These interfaces
need to be made rigorous or (better) eliminated.

VIPER 1A (the latest chip) is designed to operate in pairs, to give
protection against breakdowns in service as well as design faults. We have
come to regard redundancy and formal design methods as complementary, the
one to guard against normal component failures and the other to provide
insurance against the risk of the common-cause failures which bedevil
reliability predictions.

Any future VIPER chips will certainly need improved performance to keep up
with increasingly demanding applications. We have a prototype design (not
yet specified formally) which includes 32- and 64-bit multiply, instruction
pre-fetch, more efficient interface timing, and a new instruction to allow
a quick response to peripheral requests. Work is under way to specify this
device in MIRANDA, and then to refine the spec into a block-level design by
top-down transformations. When the refinement is complete, a relatively
simple proof checker should be able to demonstrate its correctness.
\ ** MINOR STATE LOGIC in NODEN ** \

FN INCWORD3 = (word3: minor) -> word3:
   IF (VAL3 minor) = 7
   THEN WORD3 0
   ELSE WORD3 ((VAL3 minor) + 1)
   FI.

BLOCK MINOR = (bool: nextmainbar advance reset intresetbar)
           -> (~word3: minor):
   IF reset OR (NOT intresetbar) OR
      (advance AND (NOT nextmainbar))
   THEN WORD3 0
   ELIF advance
   THEN INCWORD3 minor
   ELSE minor
   FI.
\ **** 'Library' of primitive gate functions **** \

FN INV    = (bool: a)       -> bool: NOT a.
FN NAND2  = (bool: a b)     -> bool: NAND(a, b).
FN EXNOR  = (bool: a b)     -> bool: a = b.
FN ORNAND = (bool: a b c d) -> bool: NAND(a OR b, c OR d).

\ NB. NAND3 & NAND4 are built-in functions \

\ **** Correct gate level implementation **** \

BLOCK MINOR = (bool: nextmnbar advance reset intrstbar)
           -> (~word3: minor):
BEGIN
   LET qbar_1 := NOT (minor[1]),
       qbar_2 := NOT (minor[2]),
       qbar_3 := NOT (minor[3]).

   LET gb2  := INV(advance).
   LET gb4  := INV(reset).
   LET gb1  := NAND4(nextmnbar, advance, gb4, intrstbar).
   LET gb3  := NAND3(gb2, gb4, intrstbar).
   LET gb7  := INV(qbar_1).
   LET gb8  := EXNOR(qbar_1, qbar_2).
   LET gb11 := INV(qbar_2).
   LET gb12 := NAND2(gb7, gb11).
   LET gb13 := EXNOR(gb12, qbar_3).

   OUTPUT (ORNAND(gb7,  gb1, gb3, qbar_1),
           ORNAND(gb8,  gb1, gb3, qbar_2),
           ORNAND(gb13, gb1, gb3, qbar_3)
          )
END.
\ **** Wrong gate level implementation **** \

BLOCK M_ERR = (bool: nextmnbar advance reset intrstbar)
           -> (~word3: minor):
BEGIN
   LET qbar_1 := NOT (minor[1]),
       qbar_2 := NOT (minor[2]),
       qbar_3 := NOT (minor[3]).

   LET gb2  := INV(advance).
   LET gb4  := INV(reset).
   LET gb1  := NAND4(nextmnbar, advance, gb4, intrstbar).
   LET gb3  := NAND3(gb2, gb4, intrstbar).
   LET gb7  := INV(qbar_1).

   \ ** Inverted qbar_2 ** \
   LET gb8  := EXNOR(qbar_1, NOT qbar_2).

   LET gb11 := INV(qbar_2).

   \ ** Missing NAND with gb7 ** \
   LET gb12 := gb11.

   LET gb13 := EXNOR(gb12, qbar_3).

   \ ** Inverted first output ** \
   OUTPUT (NOT (ORNAND(gb7, gb1, gb3, qbar_1)),
           ORNAND(gb8,  gb1, gb3, qbar_2),
           ORNAND(gb13, gb1, gb3, qbar_3)
          )
END.
Specification:  'MINOR'
Implementation: 'M_ERR'

COMPARISON ERROR: Implementation output 'minor[1]'
is always incompatible with the specification of
'minor[1]'; output inverted?

COMPARISON ERROR: Implementation output 'minor[2]'
is incompatible with the specification of 'minor[2]'
under the following circumstances:-

   nextmainbar = t
   advance     = t
   reset       = f
   intresetbar = t

For specification output 'minor[3]' - implementation
output 'minor[3]'

WARNING: Specification depends on minor[1] and
implementation doesn't

COMPARISON ERROR: Implementation output 'minor[3]'
is incompatible with the specification of 'minor[3]'
under the following circumstances:-

   nextmainbar = t
   advance     = t
   reset       = f
   intresetbar = t
   minor[2]    = f

*** Comparison fails, invalid implementation ***
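The comparison above can be reproduced outside the NODEN tools. The following Python model is an added example, not NODEN or VIPER code: it transcribes the MINOR specification, the gate 'library' and both netlists from the listings above, then checks each implementation against the specification over all 16 control-input combinations and all 8 counter states, which is what an exhaustive comparison of a small block amounts to. The one assumption made here is that minor[1] is the least significant bit of the word3 value, so that INCWORD3 corresponds to the XOR/AND ripple in the netlist; the names spec_minor, impl_minor, impl_m_err, compare and report are this example's own.

```python
# Added example (not NODEN/VIPER code): exhaustive spec-vs-netlist comparison
# for the 3-bit MINOR state counter. Assumption: minor[1] is the least
# significant bit of the word3 value, so INCWORD3 maps onto the XOR/AND
# ripple in the gate-level netlist.
from itertools import product

# --- primitive gate 'library' ------------------------------------------
def nand(*xs):
    return not all(xs)

def exnor(a, b):
    return a == b

def ornand(a, b, c, d):
    return nand(a or b, c or d)

# --- behavioural specification (BLOCK MINOR in NODEN) ------------------
def spec_minor(nextmainbar, advance, reset, intresetbar, minor):
    """Next minor state: synchronous clear, else count 0..7 with wrap."""
    if reset or not intresetbar or (advance and not nextmainbar):
        return 0
    if advance:
        return 0 if minor == 7 else minor + 1   # INCWORD3
    return minor

def bits(value):
    """word3 -> (minor[1], minor[2], minor[3]), least significant first."""
    return tuple(bool(value >> i & 1) for i in range(3))

def from_bits(b):
    return sum(int(v) << i for i, v in enumerate(b))

# --- gate-level implementations ----------------------------------------
def impl_minor(nextmnbar, advance, reset, intrstbar, minor):
    """Correct netlist, gate for gate as in the MINOR listing."""
    qbar_1, qbar_2, qbar_3 = (not b for b in bits(minor))
    gb2 = not advance
    gb4 = not reset
    gb1 = nand(nextmnbar, advance, gb4, intrstbar)   # low only when counting
    gb3 = nand(gb2, gb4, intrstbar)                  # low only when holding
    gb7 = not qbar_1
    gb8 = exnor(qbar_1, qbar_2)
    gb11 = not qbar_2
    gb12 = nand(gb7, gb11)
    gb13 = exnor(gb12, qbar_3)
    return from_bits((ornand(gb7, gb1, gb3, qbar_1),
                      ornand(gb8, gb1, gb3, qbar_2),
                      ornand(gb13, gb1, gb3, qbar_3)))

def impl_m_err(nextmnbar, advance, reset, intrstbar, minor):
    """Wrong netlist (M_ERR) with the three deliberate faults marked above."""
    qbar_1, qbar_2, qbar_3 = (not b for b in bits(minor))
    gb2 = not advance
    gb4 = not reset
    gb1 = nand(nextmnbar, advance, gb4, intrstbar)
    gb3 = nand(gb2, gb4, intrstbar)
    gb7 = not qbar_1
    gb8 = exnor(qbar_1, not qbar_2)        # fault 1: inverted qbar_2
    gb11 = not qbar_2
    gb12 = gb11                            # fault 2: missing NAND with gb7
    gb13 = exnor(gb12, qbar_3)
    return from_bits((not ornand(gb7, gb1, gb3, qbar_1),   # fault 3: inverted output
                      ornand(gb8, gb1, gb3, qbar_2),
                      ornand(gb13, gb1, gb3, qbar_3)))

# --- exhaustive comparison ---------------------------------------------
NAMES = ("nextmainbar", "advance", "reset", "intresetbar")

def compare(impl):
    """Map output bit (1..3) -> list of input assignments where impl != spec."""
    bad = {1: [], 2: [], 3: []}
    for ctl in product((False, True), repeat=4):
        for minor in range(8):
            want = bits(spec_minor(*ctl, minor))
            got = bits(impl(*ctl, minor))
            for i in range(3):
                if want[i] != got[i]:
                    case = dict(zip(NAMES, ctl))
                    case["minor"] = minor
                    bad[i + 1].append(case)
    return bad

def report(impl):
    """Summarise mismatches in the style of the analyser output above."""
    bad = compare(impl)
    lines = []
    for out, cases in bad.items():
        if len(cases) == 16 * 8:
            lines.append(f"minor[{out}]: always incompatible; output inverted?")
        elif cases:
            lines.append(f"minor[{out}]: incompatible in {len(cases)} of 128 cases, e.g. {cases[0]}")
    return lines or ["implementation matches specification"]

if __name__ == "__main__":
    print("MINOR:", *report(impl_minor), sep="\n  ")
    print("M_ERR:", *report(impl_m_err), sep="\n  ")
```

Running it shows the same picture as the analyser: the correct netlist agrees with the specification in every one of the 128 cases, M_ERR's minor[1] is wrong everywhere, and its minor[2] and minor[3] only disagree in the counting case (nextmainbar = t, advance = t, reset = f, intresetbar = t), because gb1 masks gb8 and gb13 whenever the counter is clearing or holding. The analyser's single reported circumstance for minor[3] (minor[2] = f) is one cube of the six failing states; the exhaustive listing also shows the two states where minor[1] = minor[2] = t, which is the dependence on minor[1] that the WARNING points at.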




NODEN changes 


Negative integer subranges allowed 
E.g. TYPE i8 = INT[-128..127]. 

Automatic casts between types 
E.g. (t,t,f) + bool3_val + i8_val 

2's complement []bool to integer ops

Explicit legal value, Ibool

Compiler about four times faster.

Analyser about twice as fast.
Old NODEN_HDL

FN INCWORD3 = (word3: minor) -> word3:
   IF (VAL3 minor) == 7
   THEN WORD3 0
   ELSE WORD3 ((VAL3 minor) + 1)
   FI.

New NODEN_HDL

FN INCWORD3 = (word3: minor) -> word3:
   IF minor == 7 THEN 0 ELSE minor + 1 FI.
Why VIPER2?

• Faster, 32 and 64 bit multiply 

• Improved interface to outside world 

• New design methods now available 
Extra speed by ...


• Instruction pre-fetch 


• Dedicated adders for P and indexing 


• Half-cycle overlaps rather than full cycle 


Speed more than 3x at same clock frequency 
On-board Multiply Instructions

Three separate instructions, F = 13, 14, 15 

• Signed, 32 bit product, stop on OVF 

• Unsigned, LS 32 bits of product 

• Unsigned, MS 32 bits of product 
Improved interface


• "Call on signal" instruction 


• "Frame restart" input 


• Longer setup and hold times on 
memory and I/O cycles 
New design methods


Top-down synthesis by correctness-preserving 
transformations 


• Starts from specification in MIRANDA 


• Generates proof as part of design process 


May scale up better than post hoc proof 
VIPER 1A perspective

The present chip falls in between the main 
application areas: 

• Automotive and comms: too expensive, 
minimum system too big (5 memory chips) 

• Avionics: not fast enough, no multiply 

• Space: about right, tiny market 